LAPSUS$ Claims AstraZeneca Breach and Offers Alleged Internal Data for Sale
A threat actor using the LAPSUS$ name has claimed an alleged breach of AstraZeneca and is offering a purported 3GB compressed dump of internal data for sale rather than releasing it publicly. Posted samples and screenshots were used to support the claim, with reports describing a pay-to-access extortion model and password-protected links containing redacted material as proof of access. The allegedly stolen data includes source code, cloud infrastructure configurations, employee and contractor-related records, and access material such as cryptographic keys, Vault credentials, and GitHub and Jenkins tokens.
Analysis of the shared samples suggested that some data, including GitHub Enterprise-style user information and third-party contractor access records, appeared plausibly authentic and internally sourced, while at least one financial dataset looked generic and possibly unrelated. Public references to an internal repository tied to AstraZeneca’s supply-chain portal indicate possible exposure of systems supporting forecasting, inventory tracking, SAP integration, and OTIF delivery metrics. The most serious risk would come from any genuine secrets, private keys, or cloud configuration data, but the breach claim and full scope of the exposed material remained unverified, and AstraZeneca had not publicly confirmed the incident at the time of reporting.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
AstraZeneca has not publicly confirmed the alleged incident
By the time the reports were published, AstraZeneca had been contacted for comment but had not issued a public statement confirming the alleged breach. Both reports noted that the claims and attribution remained unverified at that stage.
Analysis of posted samples suggests some AstraZeneca-linked data may be authentic
Review of the shared samples indicated that some materials, including GitHub Enterprise-style user data, contractor access records, and references to an internal supply-chain repository, appeared plausibly authentic and internally sourced. Reported sample content also pointed to possible exposure of source code, cloud configurations, and secrets such as keys and tokens, though direct verification remained incomplete.
LAPSUS$ claims AstraZeneca breach and offers 3GB dataset for sale
A threat actor using the LAPSUS$ name claimed responsibility for an alleged breach of AstraZeneca and said it had stolen about 3GB of internal data. The actor reportedly began marketing the data for sale using teaser samples, screenshots, and restricted links rather than releasing the material publicly.
Sources
Cybercrime group Lapsus$ claims the hack of pharma giant AstraZeneca - Security Affairs (securityaffairs.com)
AstraZeneca Data Breach - LAPSUS$ Group Allegedly Claims Internal Data (cybersecuritynews.com)
Hacker Group LAPSUS$ Claims Alleged AstraZeneca Data Breach (hackread.com)


